Queens Series Release Notes¶

6.0.1-12¶

Added new options to the PKCS#11 Cryptographic Plugin configuration to enable the use of different encryption and hmac mechanisms. Added support for CKM_AES_CBC encryption in the PKCS#11 Cryptographic Plugin.

Deprecated the p11_crypto_plugin:algoritm option. Users should update their configuration to use p11_crypto_plugin:encryption_mechanism instead.

Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.

Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True as required by Safenet HSMs. Other HSMs may require it be set to False.

This release notify that we will remove Certificate Orders and CAs from API.

Why are we deprecating Certificate Issuance? There are a few reasons that were considered for this decision. First, there does not seem to be a lot of interest in the community to fully develop the Certificate Authority integration with Barbican. We have a few outstanding blueprints that are needed to make Certificate Issuance fully functional, but so far no one has committed to getting the work done. Additionally, we’ve had very little buy-in from public Certificate Authorities. Both Symantec and Digicert were interested in integration in the past, but that interest didn’t materialize into robust CA plugins like we hoped it would. Secondly, there have been new developments in the space of Certificate Authorities since we started Barbican. The most significant of these was the launch of the Let’s Encrypt public CA along with the definition of the ACME protocol for certificate issuance. We believe that future certificate authority services would do good to implement the ACME standard, which is quite different than the API the Barbican team had developed. Lastly, deprecating Certificate Issuance within Barbican will simplify both the architecture and deployment of Barbican. This will allow us to focus on the features that Barbican does well – the secure storage of secret material.

Will Barbican still be able to store Certificates? Yes, absolutely! The only thing we’re deprecating is the plugin interface that talks to Certificate Authorities and associated APIs. While you will not be able to use Barbican to issue a new certificate, you will always be able to securely store any certificates in Barbican, including those issued by public CAs or internal CAs.